How Hackers Are Using AI to Evade Cybersecurity Defenses

The role of ethical hackers is increasingly critical as cybercriminals get more sophisticated in their methods and techniques.

With a duty to inform, these experts are tasked with responsibly disclosing their findings to a business when a vulnerability is uncovered, especially if the risk is severe.

It is a process Inti De Ceukelaire, chief hacker officer at cybersecurity firm Intigriti, is all too familiar with, and one that he says has come with huge risks in the absence of whistleblower laws in Europe.

“I would just shoot companies an email and say, ‘I don’t have any bad intentions. I just think that this is something that you should know about,’” he told PYMNTS in an interview, adding that he never wanted to get in trouble or be penalized for doing the right thing.

But he got increasingly frustrated when companies would give him the cold shoulder, especially when it involved uncovering large amounts of confidential data like medical records, Social Security numbers or government information threatening the safety of thousands of people.

“I’m talking about companies making billions and we’re exposing their customer data, but they didn’t care. They didn’t even bother to respond to my emails, and sometimes it was very hard to even find the proper email address,” he noted about the 100-plus companies he reached out to.

De Ceukelaire did eventually ruffle some feathers, and given that all forms of hacking were illegal in Belgium at the time, he was ultimately arrested when a Belgian company sued him for disclosing a vulnerability in their systems.

But he was one of the lucky ones. “If you don’t commit the [same] crime in over a year, then basically there will be no consequences. So, I got off quite well [compared to] other people I know, for whom it’s been a disaster. Some of them even faced jail time for it,” he said.

Fortunately, however, policy is now keeping pace with developments in cybersecurity, he noted, pointing to a newly adopted legal framework that was launched in Belgium this month under the Belgian Whistleblowers Act with strong protections for ethical hackers and bug bounty hunters.

“Ten years ago, I got sued for responsibly disclosing a vulnerability in a Belgian company. [But] starting tomorrow, Belgium will be the first country in the world where unauthorized testing is no longer punishable by law,” De Ceukelaire said in a LinkedIn post following the announcement. “Great time to frame my ‘criminal’ record, as a testament to legislation that can change when enough people fight for it!”

Busting the AI Hype

Despite the whistleblower directive now in place, De Ceukelaire said the expectation is that implementation will be slow as new European regulations around vulnerability disclosures get introduced in the coming months.

But it’s a step in the right direction, he said, and will likely push many companies that previously had no experience with bug bounty hunting or responsible disclosure policies to get with the times, because “all of a sudden anybody can [legally] test them.”

He said this is where Intigriti comes into play, leveraging its expertise to support firms in their policy-making processes and making it easy for them to understand what needs to be done to comply with the evolving rules and regulations.

“In Belgium alone, Intigriti has more than 3,000 registered [ethical] hackers,” he pointed out. “So, there’s a lot of people waiting to test out their grocery store or public transportation service and we want to make sure that these hackers deliver value.”

Meanwhile, despite machine learning and artificial intelligence (AI) tools playing a bigger role in fighting cybercrime, he said the technology has serious limitations and its impact on cybersecurity is overhyped by firms who have placed too much trust in its ability to combat cybercrimes.

“AI can be easily fooled. I’ve seen it write more programming mistakes and introduce more cybersecurity vulnerabilities than a normal person would do,” he explained.

He added that while AI is good at detecting patterns and has been instrumental in finding solutions to cybersecurity risks, patterns continuously change, which handicaps the ability of AI-based security products to perform effectively — at least for now.

“I don’t think that a definitive AI solution against hackers is coming soon, and even in the short term it may introduce more problems than it will fix,” he argued.

It’s the reason why busting the AI hype is going to be one of the biggest cybersecurity trends we see this year, he said, providing ethical hackers with opportunities to further expose the loopholes and dangers in using the technology.

“Whenever there’s an experimental technology there’s a hype cycle,” De Ceukelaire said. “I’m sure so many companies have an AI budget now and tend to get overconfident with [this technology]. And that is good for people like us to break it down.”
